Cloud Security has been a serious issue since the concept of the cloud began. The classic example was initially the discomfort of a shift from physically seeing the IT security infrastructure to simply trusting someone else with it virtually. Back in 2012, Serviceteam IT carried out major business process project for an insurance sector organisation. The conversation regarding data being located in the the Cloud was very short. Under no circumstances, no matter how much cheaper or how much more flexible, as cloud security was considered low.
Thankfully both the marketplace, and the organisation in the example above, have moved on and are cautiously adopting the benefits the cloud can offer. Last year the Enterprise Cloud Computing Survey from IDG revealed concerns that cloud security are still significant at 52%. Our own UK Cloud Snapshot Survey reveals 43% of respondents from UK organisations still cite cloud security as being the greatest barrier to cloud adoption. We can take encouragement from the downward trend, perhaps due to both improved cloud security and better end-user understanding.
One way to ensure a full understanding of cloud security, and security in general, is to understand the levels of your infrastructure that require protection. A simplistic multi-level infrastructure model, from the physical level, to the network level, to the applications.
Physical Security
Not so long ago physical security was a significant issue, as data centres were vulnerable and accessible to anyone almost, especially an in-office comms room. Companies recognised this risk, and therefore took the necessary steps to safeguard the physical infrastructure. Cloud has been has been a key player in alleviating physical security concerns. The expansion of the data centre for colocation, to the then centralisation of servers to purchase a ‘slice’ to now deploying applications without having to consider the server.
With almost all cloud providers, physical security concerns almost completely disappear, Partially due to the additional checks and measures carried out at data centre locations. Partially due to the distributed nature of the application, as the data will not only be encrypted on disk, but most probably meaningless as it’s balanced between multiple buckets.
Network Security
The second area to consider is the network, which is of upmost concern to Serviceteam IT. As an industry, cloud and IT professionals have made a great deal of progress in securing operating systems and basic networking. Almost all organisations have the necessary cyber security tools, firewalls, access control lists and intrusion detection to safeguard against outside attacks to an internal network.
The greater challenge has come with the adoption of an ‘outside’ network, where the end-point is trusted, however, the traversal has been via the Internet. Cloud Connectivity can now take care of the network cloud security concerns, as the links have become both dedicated and secure.
Application Security
As the bottom of the ‘funnel’ has been, and can be, better secured, this has forced potential attackers to target higher up the stack. A common trend is tampering with customised applications, impersonating users or compromising some other user end-point. Whilst application security is a continual challenge, businesses can implement tools such as application monitoring. multi-factor authentication or group policy for additional protection and user verification.
Within the application layer, the emphasis should be on identifying vulnerabilities. Simple house keeping such as log file analysis, patch management, filters, scanners and yes, good old back-up! The digital world can be rather dangerous, therefore, security-aware application design, application security testing, and runtime application self-protection all combined with context-aware and adaptive access controls are needed.
Cloud Security Conclusion
Positioning as “inside” or “outside” security is very much for the past. Along with three digit passwords, open relays and no user-access controls. The simple recognition that perimeter defence is simply not enough. Applications need to be considered more actively in regards to their impact upon security as a whole.
Perhaps in the coming years the number of organisations expressing concerns regarding cloud security will continue to fall. Most probably when organisations are more comfortable with network security and application security is more robust.